
fix code_verifier length #319

Merged
merged 1 commit into from
Jun 7, 2024

Conversation

mamico (Contributor) commented May 30, 2024

In the current implementation, code_verifier can exceed the length limits defined in the specification (43-128) because, once the byte string of the correct length is defined, it is base64 encoded to comply with the accepted character constraint, which increases its length.

An alternative implementation, as in:
https://github.com/RomeoDespres/pkce/blob/master/pkce/__init__.py#L19
could be

code_verifier = secrets.token_urlsafe(96)[:length]
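As an added illustration of the length problem described above (not code from this PR or from the project), the snippet below contrasts an assumed encode-after-sizing generator with the `secrets.token_urlsafe(96)[:length]` approach, and validates both against the RFC 7636 rules (43 to 128 characters from the unreserved set). The `verifier_encode_after_sizing` function is my reconstruction of the pattern the description names, not the project's original code; the S256 challenge helper is included so the result can be checked against the RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
import re
import secrets

# RFC 7636 section 4.1: code_verifier is 43..128 characters drawn from
# the unreserved set [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~".
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def is_valid_verifier(verifier: str) -> bool:
    """True when the verifier satisfies the RFC 7636 length and charset rules."""
    return VERIFIER_RE.fullmatch(verifier) is not None


def verifier_encode_after_sizing(length: int) -> str:
    """Assumed shape of the pattern the PR replaces (not the project's code):
    size the random bytes first, then base64url-encode them. The encoding
    inflates the length by roughly 4/3, so 128 bytes become 171 characters."""
    raw = secrets.token_bytes(length)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verifier_fixed(length: int = 128) -> str:
    """The approach proposed in the PR: 96 random bytes encode to exactly 128
    base64url characters (no padding), so slicing to `length` never exceeds
    the cap while keeping the unreserved-character set."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be between 43 and 128")
    return secrets.token_urlsafe(96)[:length]


def code_challenge_s256(verifier: str) -> str:
    """S256 code_challenge: BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    for n in (43, 96, 128):
        old, new = verifier_encode_after_sizing(n), verifier_fixed(n)
        print(f"requested {n}: encode-after-sizing -> {len(old)} chars "
              f"(valid={is_valid_verifier(old)}); fixed -> {len(new)} chars "
              f"(valid={is_valid_verifier(new)})")
    print("S256 challenge:", code_challenge_s256(verifier_fixed()))
```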

@peppelinux peppelinux requested a review from rglauco May 30, 2024 12:07
peppelinux (Member) commented:

LGTM

I believe that also the code snippet contained in the main documentation should be aligned to this PR
https://github.com/italia/spid-cie-oidc-docs/blob/a65aa1a6ccc2bf03d8c18dd8df2ee22ec2613316/static/pkce.py#L6

@peppelinux peppelinux merged commit 1c69e61 into italia:main Jun 7, 2024
2 of 4 checks passed
@mamico mamico deleted the code_verifier branch June 14, 2024 06:54